Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac00ba28744c419c…

MALICIOUS

PDF

96.9 KB Created: 2021-09-04 02:53:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 8f973b72efef099d12b6acf4ee518bed SHA-1: f380e3e7eab11dda88fa70a5baccd1d1645baf76 SHA-256: ac00ba28744c419c0d230872f11ee3108f572dedfc84e64344a60dc544954188
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is identified as malicious by ML classifiers and ClamAV, with heuristics indicating it's a PDF containing embedded JavaScript and acting as a link farm. The presence of an 'invoice lure' heuristic suggests a phishing pretext. The embedded JavaScript likely facilitates the download and execution of a second-stage payload from one of the numerous linked URLs, many of which point to compromised WordPress sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drisraadentalcenter.com/userfiles/file/73203366823.pdf
    • http://chagatea.ru/wp-content/plugins/super-forms/uploads/php/files/27354ba50b49ad94477260b5b0add5f8/10145451525.pdf
    • https://xn--80aaaglcftt5alesfkk7f.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/1826e4d46c424d405ebb54494ae39a9c/41605166638.pdf
    • http://www.tsahimmongol.com/uploads/images/files/63105062134.pdf
    • https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/e566d4fddb8ec519acf2f2a1774319f6/fevigomiraxaxejire.pdf
    • https://ambient-interier.cz/files/files/lokudunowevita.pdf
    • https://najlepsze-w-polsce.pl/uploads/41774237984.pdf
    • http://www.lavalledesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e69f399955d---10732460811.pdf
    • http://johnmichaelharrisonlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/70338078110.pdf
    • http://market-oborudovanie.ru/upload/file/xatuzebixozuni.pdf
    • https://globalazeri.az/wp-content/plugins/super-forms/uploads/php/files/edf79jl0o464sbc8hdhdogri87/pinefijurivabetig.pdf
    • http://kerekagy.hu/UserFiles/file/jodadebibu.pdf
    • https://taichielite.com/louis/taichi/ckfinder/userfiles/files/61034182497.pdf
    • http://scenekunstskolen-efteruddannelsen.dk/ckfinder/userfiles/files/37268251928.pdf
    • https://zivotzaokny.eu/res/file/16842621686.pdf
    • http://vallovin.it/userfiles/files/rijipajirukoze.pdf
    • http://strahovka66.ru/userfiles/file/nuzujubej.pdf
    • https://chinatupai.com/web/js/ckfinder/userfiles/files/sujileb.pdf
    • http://zonweringbelgie.eu/ckfinder/userfiles/files/wexeturabesikegewebul.pdf
    • https://aquafilling.com/userfiles/file/16518429243.pdf
    • http://leguido.net/files/datomukun.pdf
    • http://www.sarajevo-inn-grunewald.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607230b45b4fb---80271419875.pdf
    • https://floridaholidayplanner.com/wp-content/plugins/super-forms/uploads/php/files/c0c48d2f82e943954fa60ec46fd2cf55/luzagukowusezatijisopuv.pdf
    • https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/3e4a7faba9ae5a3ffd081d121a9f3db8/861657540.pdf
    • https://www.pension-chevaux-haras-gabereau.fr/ckfinder/userfiles/files/xipovabinapek.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=introduction+to+islamic+banking+and+finance+brian+kettell+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000114eb.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x114EB 16792 bytes
font_01_sfnt_off00012d02.bin
d58d29504102c36a045496fac6b3581d743de1d269819a90c28e8a8c0b40feea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12D02 11244 bytes
font_02_sfnt_off000146f4.bin
13f4cbca26ec7724367bbf9c8c9c9e09522fd2f64aaeec4e73ebdffd7c32b382		 pdf-font-stream PDF embedded font (sfnt) at offset 0x146F4 17940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.